Overview

Novell made some changes between UserApp 3.5.1 and UserApp 3.6.x in how SSO can be achieved with NAM (Novell Access Manager).

This document assumes that you are using User Application 3.6.1. (We are using the non-Provisioning module, which means that 3.6.1 is the highest version we can use: there is no 3.7 release with non-Provisioning, and version 4.0 is not shipping as of the date of this document.)

This document also assumes that you are using NAM 3.1.1 or higher (I’m not sure if NAM 3.1 is even required, but the screen options are different from NAM 3.0).

For the purposes of this document, we assume that the User Application server is named userapp.abc.com and is running on SLES 10 SP2 or higher with the JBoss that is included with UserApp. We also assume you are using the expired-password feature of NAM to redirect to ChangePassword.jsf on UserApp (rather than the “forgotpassword” page of UserApp).

Since UserApp requires eDirectory, our User Source in NAM is also assumed to be eDirectory.

This also ASSUMES that when you created your IDP cluster, you used a user with ADMIN rights to the eDirectory tree so that it could extend the schema for SAML. If you did not, I will include the steps to do that after the fact.

UserApp 3.6.1

First, make sure that you apply patch C for User App 3.6.1. If you don’t, then ChangePassword.jsf doesn’t work properly (if you are redirecting your “expired password” URL in NAM to ChangePassword.jsf). Otherwise, this assumes a standard install of UserApp 3.6.1 with the included MySQL and JBoss on port 8080. Since we are front-ending the server with NAM, we can set up SSL on port 443 for our Reverse Proxy in our LAG configuration.

NAM 3.1.1

This assumes that you are using NAM 3.1.1 or higher and that you are using the Linux Access Gateway (LAG). I don’t know if this works with the NetWare Access Gateway (NAG). We are also using a DNS-based multi-homing environment; that shouldn’t matter too much, but our Proxy Service configuration is based upon it.

IDP Policy Configuration – SAML

Create another new policy. Call it whatever you want, but here’s mine below:

IDP Cluster Configuration for SAML with eDirectory

If, like me, you did not use an “admin” user for your IDP configuration, it did not extend the Schema properly for SAML. To fix this, login to your Admin Console, find your IDP Cluster (I’m assuming you are using an IDP cluster) and edit it.

TEMPORARILY change the “admin name” to be either the admin user or a user with rights to extend the schema, and enter the matching password. THEN, make certain to CHECK THE BOX for “Install NMAS SAML method”.

Click Apply and OK and update your configs. Wait a little bit and it should extend the eDir schema. To verify that you have a SAML method, you can use iManager.

Once logged into iManager, select the NMAS -> NMAS Login Methods role

On the right-hand side, find the SAML Assertion object (you should have one)

Click the Affiliates tab

You’ll see something like:

SCCotpbt3 (the name will vary)

If this is your FIRST and only IDP cluster, you should only have one of these and if you select it, you’ll notice that the Provider ID will be something like:

cn=SCCotpbt3,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell

Obviously the key item is the “accessManagerContainer”
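The iManager check above boils down to reading each Affiliate’s Provider ID and confirming it sits under the Access Manager container. The following Python script is an added example (not part of the original article or a NetIQ tool) that does the same check on DN strings: it parses LDAP DNs, including escaped commas, flags the affiliates that belong to a NAM IDP cluster, and pulls out the cluster object name when the DN follows the `cn=<cluster>,cn=cluster,cn=nids,ou=accessManagerContainer,...` layout shown above. Apart from the article’s own Provider ID, every DN in the sample list is constructed for illustration.

```python
"""Classify SAML Assertion affiliate Provider IDs from NMAS (added example).

The article states that, once the IDP cluster has extended the eDirectory
schema, the SAML Assertion login method shows an Affiliate whose Provider ID
looks like:
    cn=SCCotpbt3,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
and that the key component is "accessManagerContainer". This helper checks
DN strings for that component. Multi-valued RDNs (a+b=...) are not handled.
"""
from typing import List, Optional, Tuple

# The article's own Provider ID (the leaf name varies per installation).
PAGE_PROVIDER_ID = "cn=SCCotpbt3,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"

# Constructed sample affiliate list: the page's DN, a second (hypothetical)
# IDP cluster, and a non-NAM affiliate with an RFC 4514 escaped comma.
SAMPLE_AFFILIATES = [
    PAGE_PROVIDER_ID,
    "cn=SCCxyz12,cn=cluster,cn=nids,ou=accessManagerContainer,o=example",
    "cn=Legacy\\, Inc,ou=partners,o=novell",
]

NAM_PARENT_PATH = [("cn", "cluster"), ("cn", "nids"), ("ou", "accessmanagercontainer")]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf first.

    Attribute types are lower-cased; values keep their case. A backslash
    escapes the following character, so "Legacy\\, Inc" stays one value.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def is_nam_idp_affiliate(provider_id: str) -> bool:
    """True when any component is ou=accessManagerContainer (case-insensitive)."""
    return any(a == "ou" and v.lower() == "accessmanagercontainer"
               for a, v in parse_dn(provider_id))


def cluster_name(provider_id: str) -> Optional[str]:
    """Return the IDP cluster object name when the DN follows the article's
    cn=<cluster>,cn=cluster,cn=nids,ou=accessManagerContainer layout."""
    pairs = parse_dn(provider_id)
    lowered = [(a, v.lower()) for a, v in pairs]
    if len(lowered) >= 4 and lowered[0][0] == "cn" and lowered[1:4] == NAM_PARENT_PATH:
        return pairs[0][1]
    return None


def classify_affiliates(provider_ids: List[str]) -> Tuple[List[str], List[str]]:
    """Split affiliates into (NAM IDP cluster affiliates, everything else)."""
    nam: List[str] = []
    other: List[str] = []
    for pid in provider_ids:
        (nam if is_nam_idp_affiliate(pid) else other).append(pid)
    return nam, other


if __name__ == "__main__":
    nam, other = classify_affiliates(SAMPLE_AFFILIATES)
    for pid in nam:
        print(f"NAM IDP cluster affiliate: {cluster_name(pid)}  ({pid})")
    for pid in other:
        print(f"not a NAM affiliate:       {pid}")
    if len(nam) > 1:
        # The article expects exactly one affiliate for a first and only IDP cluster.
        print(f"note: {len(nam)} NAM affiliates found; expected one for a single IDP cluster")
```

If you have only one IDP cluster, the script should report exactly one NAM affiliate; a second one usually means an earlier cluster configuration left its own object behind.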

Once you’ve verified this, you can re-edit your IDP configuration and change the userid/password BACK to what you had before and UNCHECK the “Install NMAS SAML method”.

I created one called “everything” (you can call it “All”, it doesn’t really matter). The PATH will be defined as /*

Now, it’s up to you if you wish to define an authorization policy or not. We DO define an authorization policy because we don’t want just anyone being able to browse the web server unless they authenticate.

We also chose to define an Authentication tab policy as well (again, we don’t want just anyone being able to look at stuff).

For the Identity Injection tab, select the two IDP policies you created previously:

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.